Flow in hyperbolic space

• 3 month SSC project in 2002
• discover and apply network visualization tools
• Hyperviewer: quasi-hierarchical hyperbolic space
• ‘fish-eye’ 3-d

Created by Stanford researcher Tamara Munzner

Flow in hyperbolic space

Easily adapted to a forced-hierarchy view of flow
Open-source C++ library and UI
Experimented with visual methods
- colors
- graph cycles
- scaling
- text labels
- graph size
search automation

Symmetry in port access from 3 separate clients

src/dst ports colored red/blue

Hierarchy showing client subnet and server ports

Shapes Vector

Acquired by DARPA in 2002
Developed by Australian DSTO (Defence Science Technology Organisation)
JTF-GNO pilot program from 2003-2006

What is it?

Intelligent Agents gather information and produce inferences
Gathers information from multiple sources
pcap, flow, Snort, syslog, etc.
IAs perform automated data correlation & knowledge extraction
Integrates visual and command-line analysis
Integrated visualization makes use of human vision
Supports visual analysis and decision-making

Shapes Vector

Contextual: spatial, temporal, social, topological
Spatial: physical geography or metaphor
Temporal: sequences in time, correlated
Visual: use visual language to depict objects & events

Sensors

SVKA

Agents can be written in many languages - must conform to the SV ontology and knowledge architecture (SVKA) specification

Sensors can be built to wrap many information sources - must produce SV ontology

SV ontology is a knowledge description language for network defense

Shapes Vector - Visual Language

• Easily defined visual mappings
• No applied theory of visual language

Topological layout using visual demarcations (e.g. firewall, network segment, physical layout)

Automated layout to arrange hundreds of sub-graphs in a non-overlapping manner.

Topological layout discovered using hints in the data (e.g. TTL)

Expansive vantage points for network analysis


Shapes Vector Flow Viewer

JTF-GNO funded effort to implement SV
• Use SV architecture and components
• DARPA demo system > operational system
• New scripts, sensors, agents, and GUI

Results
• A visual augmentation of CLI
- Produces a view of social topology
- Intuitive view of gobs of data
- static topology and event replay
- Links statistical views and topology view

Flow Viewer
GUI

multiple stats views linked to visuals
playback specific ranges & loop
adjust replay velocity
time-skip
IP and attribute hotlists
dynamic filtering controls
GUI managed rwfilter
- filter using SV ontology

Flow Viewer
Intelligent Agents

Flow Sensor
- Converts flow into ontology
- produces facts

AMP Agent
- uses correlations from Flow Agent
- query made on every unique IP seen
- produces visual events

[Diagram labels: Flow Sensor, Flow Agent]

Flow Agent
- correlates records
- counts and corroborates
- produces inferences
- produces visual events

Flow Viewer
Visual Language

Leverage cultural knowledge

Use metaphors for abstract

Flow Viewer
Visual Language

Test installation

Flow Viewer
Visualization

• Tested using:
- 100-5000 nodes
- 1M-3M flows
- 10K-300K flows per hour
• Integrated filtering (rwfilter, SVKA filtering, visual filter)
• Visual ID
- Queries
- Grouping (e.g. domain, netblock, vulnerability)
- Replay-mode or Real-time
- Historic visual context
• Replay ‘on top of’ known incident

Flow Viewer
data prep

Include
• Incoming & outgoing
• Hub & core-to-core traffic
• Wide port ranges
• Time-span wider than the activity (minutes to hours)
• Suspect IPs and ranges

Filter
- Superfluous port traffic (e.g. 80, 53, 25)
- IPs that are unrelated to the incident

Sampling & Time
- Dense data
- Smear data across time resolution (~1 second)

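The data-prep steps above, sketched as an added example (not code from the presentation or from Shapes Vector): it drops flows on the superfluous ports and flows that do not involve a suspect IP, then spreads records that share a one-second timestamp evenly across that second for replay. The record layout, function names and sample flows are constructed for illustration, and reading "smear" as even spacing within the second is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

SUPERFLUOUS_PORTS = {80, 53, 25}   # the slide's examples of ports to filter out

@dataclass(frozen=True)
class Flow:                         # hypothetical minimal flow record
    start: float                    # epoch seconds, 1-second resolution
    sip: str
    dip: str
    sport: int
    dport: int

def prep(flows, suspect_ips):
    """Keep incoming and outgoing flows that touch a suspect IP, minus noisy ports."""
    kept = []
    for f in flows:
        if f.sport in SUPERFLUOUS_PORTS or f.dport in SUPERFLUOUS_PORTS:
            continue
        if f.sip in suspect_ips or f.dip in suspect_ips:
            kept.append(f)
    return kept

def smear(flows, resolution=1.0):
    """Spread flows sharing a timestamp bucket evenly across that bucket (assumed meaning)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.start // resolution].append(f)
    out = []
    for key in sorted(buckets):
        group = buckets[key]
        step = resolution / len(group)
        for i, f in enumerate(group):
            out.append(replace(f, start=key * resolution + i * step))
    return out

# Constructed sample: 10.0.0.5 is the suspect host; all addresses are made up.
SAMPLE = [
    Flow(1000.0, "10.0.0.5", "192.0.2.10", 40000, 6667),
    Flow(1000.0, "192.0.2.10", "10.0.0.5", 6667, 40000),
    Flow(1000.0, "10.0.0.5", "192.0.2.11", 40001, 80),    # web noise, dropped
    Flow(1000.0, "10.0.0.9", "192.0.2.12", 40002, 4444),  # unrelated IP, dropped
    Flow(1000.0, "10.0.0.5", "192.0.2.13", 40003, 22),
    Flow(1000.0, "10.0.0.5", "192.0.2.14", 40004, 445),
    Flow(1001.0, "192.0.2.14", "10.0.0.5", 445, 40004),
]

if __name__ == "__main__":
    for f in smear(prep(SAMPLE, {"10.0.0.5"})):
        print(f"{f.start:.2f} {f.sip}:{f.sport} -> {f.dip}:{f.dport}")
```
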
Flow Viewer Performance

[Chart: Minimum Frames per Second (y-axis, 12 to 60) vs # of visible objects (x-axis)]

Exceptional: 30-60 fps
Good: 20-30 fps
Acceptable: 10-20 fps
Unacceptable: < 10 fps

**Graphics performance on dual 1.5GHz SPARC SunFire v440 with Sun XVR 1200

Flow Viewer Performance

Real-time Performance    Real-time Records / Hour    Optimal playback rate
Optimal                  10K-30K/hour                10X Real-time
Acceptable               40K-100K/hour               Real-time
Poor                     100K-300K/hour              1/10X Real-time

Sparse data sets can be viewed quickly
e.g. months of data in minutes

Dense data sets can be viewed slowly or filtered
e.g. seconds of data in minutes

Knowledge Depth vs Breadth

What trade-offs are we making?

• UI Feedback?
- Haptic vs visual feedback
• Data access?
- Random sequential access
• Training?
- Under-learned vs over-learned
- Tool complexity
• Meaning?
- Visual semantic vs text
- Intuitive/Iconic vs cryptic/coded

SPAWAR Systems Center San Diego

Next Generation Tactical Situation Assessment Technology (NG-TSAT)

Objective: Next-generation Tactical Chat. Icon-based situation assessment (SA) language supported by wireless gesture-recognition gloves used in hostile or noisy (silence-mandated) environments

Description of Effort:

1. Linguistic Analysis: Analysis of current C2 chat logs to determine speech patterns and repetitive SA concepts/themes

2. Iconic Language Development: Output of linguistic analysis determines candidate icons representing most prevalent SA “themes;” development of prototype C2 iconic SA language

3. Wireless, Gesture-Recognition Gloves: Develop wireless gloves that recognize C2 icons/gestures which can transmit across network to distributed warfighters (replacing keyboard input when in MOPP)

Benefits of TSAT

Compressed Chat (25% i content; 50% i reduction in production time) for rapid SA dissemination.
Gesture-recognition in very noisy, distributed ops, or in very austere environments (e.g., the moon)

Challenges:

1. No current method or theory for chat-meaning compression; currently done in prose; computer linguistic analysis of unstructured text still neoteric.

2. Wireless gesture recognition glove technology still in infant stages of development; focused on commercial animation support, not on disciplined language support

TRL: Chat: TRL 1-2; Gesture-recognition: TRL 1-4

Major Milestones FY06:

Linguistic analysis discovery of common C2 SA themes
Development of icon/symbols for candidate SA themes
Development of proof-of-concept wireless gesture-recognition glove

Period of Performance: 2007-2012

PI contact info: Dr. LorRaine Duffy, (619) 553-9222, LorRaine.Duffy@navy.mil, SSC San Diego, CA

Synaesthesia

Synaesthesia: "a neurological condition in which two or more senses are coupled."

"loud color" "sharp laugh" "bitter wind"

grapheme color synesthesia - letters or numbers are perceived as inherently colored

How many numbers contain the digit 6?

9910 9972 3292 7602 82 9054
5636 2710 1944 6330 6560 8101
5177 1955 7029 4083 4643 5710
4935 2256 1495 1025 8375 8518
80 797 2610 3008 8784 1854 2383
9728 4523 573 5914 7975 281
6664 2682 7689 7753 273 5597
799 9960 1437 4534 8601 4563
6734 647 9409 6543 4827 2398
1532

Is this easier?

[Figure: the same grid of numbers, repeated with color applied to some digits]

Emulating Synaesthesia

These methods can be used to achieve sequence disambiguation and

9910 9972 3292 7602 82 9054
5636 2710 1944 6330 6560 8101
5177 1955 7029 4083 4643 5710
4935 2256 1495 1025 8375 8518
80 797 2610 3008 8784 1854 2383
9728 4523 573 5914 7975 281
6664 2682 7689 7753 273 5597
799 9960 1437 4534 8601 4563
6734 647 9409 6543 4827 2398
1532

[Figure: second rendering of the same number grid]

Emulating Synaesthesia

192.168.1.232
129.168.1.233

Language Domains

[Diagram labels: American English Grammar/Structure; Standard American English; Mathematics; Medicine; Non-standard American English; American English Concept Map]

Cultures and knowledge domains don’t necessarily use the same lexicon or even the same grammar!

How does the CND lexicon map to common language? Technical language? Military/tactical language?